Vulnerability Details : CVE-2021-43175
The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
Vulnerability category: BypassGain privilege
Products affected by CVE-2021-43175
- cpe:2.3:a:goautodial:goautodial:4:*:*:*:*:*:*:*
- cpe:2.3:a:goautodial:goautodial_api:2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-43175
0.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-43175
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-43175
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
-
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.Assigned by: disclosure@synopsys.com (Secondary)
References for CVE-2021-43175
-
https://www.synopsys.com/blogs/software-security/cyrc-advisory-goautodial-vulnerabilities
CyRC Vulnerability Advisory: Multiple vulnerabilities discovered in GOautodial | SynopsysExploit;Third Party Advisory
Jump to